workspace

package workspace
v0.8.0

Warning: this package is not in the latest version of its module.
Published: Feb 26, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const (
	RoleBindingName         = "workspace-role-binding"
	ResourceQuotaName       = "workspace-resource-quota"
	LimitRangeName          = "workspace-limit-range"
	NetworkPolicyName       = "workspace-network-policy"
	PeerAuthenticationName  = "workspace-peer-authentication"
	AuthorizationPolicyName = "workspace-authorization-policy"

	UserLabelPrefix = "user.otterscale.io/"

	// ConditionTypeReady is the condition type that indicates whether all
	// workspace resources have been successfully reconciled.
	ConditionTypeReady = "Ready"
)

Variables

This section is empty.

Functions

func AuthorizeCreation

func AuthorizeCreation(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, ws *tenantv1alpha1.Workspace, operatorSA string, maxPerUser int) error

AuthorizeCreation checks whether the requesting user is allowed to create a Workspace. Non-privileged callers must list themselves as an admin member of the new Workspace and must not exceed the per-user workspace quota.

maxPerUser controls the maximum number of workspaces a regular user may administer. A value of 0 disables quota enforcement.

Privileged callers (members of a privileged group, the operator's ServiceAccount, or holders of a privileged ClusterRole such as cluster-admin) bypass both the self-admin requirement and the quota.

Allowed callers (checked cheapest-first):

  • Members of a privileged group (system:masters, kubeadm:cluster-admins)
  • The operator's own ServiceAccount (operatorSA)
  • A user who is listed as an "admin" member in the new workspace AND under quota
  • A user bound to a privileged ClusterRole (e.g. cluster-admin) via ClusterRoleBinding

func AuthorizeModification

func AuthorizeModification(ctx context.Context, reader client.Reader, userInfo authenticationv1.UserInfo, workspace *tenantv1alpha1.Workspace, operatorSA string) error

AuthorizeModification checks whether the requesting user is allowed to update the given Workspace. The workspace parameter must be the **old** (pre-update) object so that a user cannot grant themselves admin and approve in the same request.

reader is used to list ClusterRoleBindings for privileged ClusterRole checks. operatorSA is the full service account identity of the controller-manager (e.g. "system:serviceaccount:otterscale-system:tenant-operator-controller-manager"). It is provided at startup so the operator works regardless of the namespace it is deployed in.

Allowed callers (checked cheapest-first):

  • Members of a privileged group (system:masters, kubeadm:cluster-admins)
  • The operator's own ServiceAccount (operatorSA)
  • A workspace member whose role is "admin" in the current (old) spec
  • A user bound to a privileged ClusterRole (e.g. cluster-admin) via ClusterRoleBinding
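The two functions above share the same cheapest-first ladder and differ only in which spec they consult. The following is an added illustration of that ladder, not the package's own code: it uses constructed stand-ins for authenticationv1.UserInfo and the Workspace spec so it runs without Kubernetes dependencies, replaces the ClusterRoleBinding lookup with a map (ClusterAdmins), and assumes the per-user quota counts workspaces the user already administers (AdminCount). The main function shows why AuthorizeModification must be given the old object: evaluating the new spec would approve a caller's own promotion to admin.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for authenticationv1.UserInfo and the Workspace spec,
// so this file runs without the Kubernetes or operator dependencies.
type UserInfo struct {
	Username string
	Groups   []string
}

type Member struct {
	Name string
	Role string
}

type Workspace struct {
	Name    string
	Members []Member
}

var ErrForbidden = errors.New("forbidden")

// Authorizer holds the inputs the package documentation describes.
// ClusterAdmins stands in for the ClusterRoleBinding lookup the real functions
// do through client.Reader; AdminCount stands in for a count of workspaces each
// user already administers (assumption: that is what the per-user quota measures).
type Authorizer struct {
	PrivilegedGroups []string // e.g. system:masters, kubeadm:cluster-admins
	OperatorSA       string   // full SA identity of the controller-manager
	MaxPerUser       int      // 0 disables quota enforcement
	ClusterAdmins    map[string]bool
	AdminCount       map[string]int
}

func hasAnyGroup(u UserInfo, groups []string) bool {
	for _, g := range u.Groups {
		for _, p := range groups {
			if g == p {
				return true
			}
		}
	}
	return false
}

// isAdminMember reports whether username appears with role "admin" in ws.
func isAdminMember(ws *Workspace, username string) bool {
	for _, m := range ws.Members {
		if m.Name == username && m.Role == "admin" {
			return true
		}
	}
	return false
}

// cheapPrivileged covers the checks that need no API round-trip:
// privileged group membership and the operator's own ServiceAccount.
func (a *Authorizer) cheapPrivileged(u UserInfo) bool {
	return hasAnyGroup(u, a.PrivilegedGroups) || u.Username == a.OperatorSA
}

// AuthorizeCreation: the caller must be privileged, or be an admin member of
// the NEW workspace while under quota. The ClusterRole check comes last because
// it is the only one that costs a list call in the real package; a cluster-admin
// holder still passes even when over quota or not self-listed.
func (a *Authorizer) AuthorizeCreation(u UserInfo, newWS *Workspace) error {
	if a.cheapPrivileged(u) {
		return nil
	}
	if isAdminMember(newWS, u.Username) &&
		(a.MaxPerUser == 0 || a.AdminCount[u.Username] < a.MaxPerUser) {
		return nil
	}
	if a.ClusterAdmins[u.Username] {
		return nil
	}
	return fmt.Errorf("%w: %s may not create workspace %q", ErrForbidden, u.Username, newWS.Name)
}

// AuthorizeModification must be given the OLD object: deciding on the new spec
// would let a caller write themselves in as admin and approve that same request.
func (a *Authorizer) AuthorizeModification(u UserInfo, oldWS *Workspace) error {
	if a.cheapPrivileged(u) {
		return nil
	}
	if isAdminMember(oldWS, u.Username) {
		return nil
	}
	if a.ClusterAdmins[u.Username] {
		return nil
	}
	return fmt.Errorf("%w: %s may not modify workspace %q", ErrForbidden, u.Username, oldWS.Name)
}

// NewExampleAuthorizer builds a constructed fixture: carol holds cluster-admin,
// bob already administers two workspaces, and the quota is two per user.
func NewExampleAuthorizer() *Authorizer {
	return &Authorizer{
		PrivilegedGroups: []string{"system:masters", "kubeadm:cluster-admins"},
		OperatorSA:       "system:serviceaccount:otterscale-system:controller-manager",
		MaxPerUser:       2,
		ClusterAdmins:    map[string]bool{"carol": true},
		AdminCount:       map[string]int{"bob": 2},
	}
}

func main() {
	a := NewExampleAuthorizer()
	alice := UserInfo{Username: "alice", Groups: []string{"system:authenticated"}}
	old := &Workspace{Name: "team-a", Members: []Member{{Name: "alice", Role: "viewer"}}}
	updated := &Workspace{Name: "team-a", Members: []Member{{Name: "alice", Role: "admin"}}}

	// Correct: decide on the old spec, where alice is only a viewer.
	fmt.Println("old spec:", a.AuthorizeModification(alice, old))
	// Wrong: deciding on the new spec approves alice's self-promotion.
	fmt.Println("new spec:", a.AuthorizeModification(alice, updated))
}
```

In a real admission webhook the old object comes from the AdmissionRequest's OldObject field; the point of the ordering is that the request body the caller controls is never the thing that grants them the right to submit it.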

func IgnoreNoMatchNotFound

func IgnoreNoMatchNotFound(err error) error

IgnoreNoMatchNotFound ignores NoMatch errors (the resource kind is not registered in the cluster, for example because the Istio CRDs are not installed) and NotFound errors. This is useful when deleting Istio resources whose CRDs or instances may not exist in the cluster.

func IsOwned

func IsOwned(refs []metav1.OwnerReference, uid types.UID) bool

IsOwned reports whether refs contains an OwnerReference with the given UID. Callers use it to avoid adopting an object that already belongs to another owner.

func LabelsForWorkspace

func LabelsForWorkspace(workspace, version string) map[string]string

LabelsForWorkspace returns a standard set of labels for resources managed by this operator.

func OperatorServiceAccountIdentity

func OperatorServiceAccountIdentity(namespace, saName string) string

OperatorServiceAccountIdentity constructs the full Kubernetes service account identity string from the pod namespace and service account name. Example: OperatorServiceAccountIdentity("otterscale-system", "controller-manager") returns "system:serviceaccount:otterscale-system:controller-manager".

func ReconcileLimitRange

func ReconcileLimitRange(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error

ReconcileLimitRange applies default limits if defined, or deletes the range if removed.

func ReconcileNamespace

func ReconcileNamespace(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string, istioEnabled bool) error

ReconcileNamespace ensures the Namespace exists and is properly labeled.

func ReconcileNetworkIsolation

func ReconcileNetworkIsolation(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string, istioEnabled bool) error

ReconcileNetworkIsolation decides whether to use Istio or standard NetworkPolicy and reconciles all related resources.

func ReconcileResourceQuota

func ReconcileResourceQuota(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error

ReconcileResourceQuota applies quota constraints if defined, or deletes the quota if removed.

func ReconcileRoleBindings

func ReconcileRoleBindings(ctx context.Context, c client.Client, scheme *runtime.Scheme, w *tenantv1alpha1.Workspace, version string) error

ReconcileRoleBindings groups members by role and creates the necessary bindings.

Types

type NamespaceConflictError

type NamespaceConflictError struct {
	Name string
}

NamespaceConflictError is a permanent error indicating the target namespace already exists but is not owned by this workspace.

func (*NamespaceConflictError) Error

func (e *NamespaceConflictError) Error() string
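IsOwned and NamespaceConflictError together form the ownership gate that stops a Workspace from claiming a namespace it did not create (kube-system, or another tenant's). The block below is an added illustration of that gate, not the package's own code: it uses constructed stand-ins for metav1.OwnerReference, types.UID and corev1.Namespace, models the "namespace does not exist" case as a nil pointer, and assumes the owner reference the operator sets carries Kind "Workspace". IsPermanent shows how a reconcile loop recognises the conflict as non-retryable.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for types.UID, metav1.OwnerReference and
// corev1.Namespace so this file runs without Kubernetes dependencies.
type UID string

type OwnerReference struct {
	Kind string
	Name string
	UID  UID
}

type Namespace struct {
	Name            string
	OwnerReferences []OwnerReference
}

// NamespaceConflictError mirrors the package's permanent error type.
type NamespaceConflictError struct {
	Name string
}

func (e *NamespaceConflictError) Error() string {
	return fmt.Sprintf("namespace %q already exists and is not owned by this workspace", e.Name)
}

// IsOwned reports whether refs contains an owner with the given UID.
func IsOwned(refs []OwnerReference, uid UID) bool {
	for _, r := range refs {
		if r.UID == uid {
			return true
		}
	}
	return false
}

// ClaimNamespace models the ownership decision a namespace reconciler makes.
// existing is nil when the Get returned NotFound. A missing namespace is
// created with the workspace as owner (Kind "Workspace" is an assumption),
// an already-owned one is returned unchanged, and an existing namespace owned
// by anyone else is a permanent conflict rather than something to adopt.
func ClaimNamespace(existing *Namespace, name string, workspaceUID UID) (*Namespace, error) {
	if existing == nil {
		return &Namespace{
			Name:            name,
			OwnerReferences: []OwnerReference{{Kind: "Workspace", Name: name, UID: workspaceUID}},
		}, nil
	}
	if IsOwned(existing.OwnerReferences, workspaceUID) {
		return existing, nil
	}
	return nil, &NamespaceConflictError{Name: name}
}

// IsPermanent tells a reconcile loop whether retrying could help. A
// NamespaceConflictError cannot resolve by itself, so the controller should
// record the failure in the Ready condition and return without requeueing.
func IsPermanent(err error) bool {
	var nce *NamespaceConflictError
	return errors.As(err, &nce)
}

func main() {
	ns, err := ClaimNamespace(nil, "team-a", "uid-a")
	fmt.Println("created:", ns.Name, "owned:", IsOwned(ns.OwnerReferences, "uid-a"), "err:", err)

	_, err = ClaimNamespace(&Namespace{Name: "kube-system"}, "kube-system", "uid-a")
	fmt.Println("conflict:", err, "permanent:", IsPermanent(err))
}
```

Checking the UID rather than the owner's name matters: a Workspace deleted and recreated under the same name gets a new UID, so a namespace left behind by the old object is still treated as foreign instead of being silently inherited.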
